Lots of business owners avoid making the jump to online tools for marketing or selling because of security fears. Usually, however, the fears are misplaced. Yes, there are dangers and things you need to look out for, but the real dangers aren’t what people often think they are. I don’t know how many times during social media classes I had someone express concern about their personal information going public and being spread around the internet. Yes, that can happen–but I would usually point out that they have the option of not posting anything that they thought was too personal for the internet. And that getting stuff spread around the internet is precisely what marketing online is supposed to do.
On the flip side, many who are new to the digital world, or even those who just wouldn’t call themselves “tech savvy,” are not concerned about things that they really should be. Perhaps “concerned” is a little strong. But there are some basic things you can do to avoid making stupid mistakes or falling prey to the opportunists out there in the less polite part of the internet. For example, the top two most common passwords on the internet right now are “123456” and “password” and hackers know that–heck, Slate published the 25 most common earlier this year. That’s why I’ve put together this three-part series on the basics of online security.
Part 1 will describe internal practices and follow-up that every company that spends any time online should pay attention to. Part 2 will cover passwords, and I’ll share a tool that will make doing it right really easy. Part 3 will close with some recommendations about avoiding data breaches and what to do if you get hacked (with the story of my own experience of being hacked) and how I got it cleaned up in about a day…well, one day after I stopped doing the wrong thing and made a key change. So, on with part 1!
Know Who Has Access to Your Accounts
I recently sent an email to a group I have worked with in the past, but am not currently doing any work for. I’d noticed that I was still an admin on a couple of their pages, which got me wondering about what else I still had access to. I checked other accounts I had with them when we worked together and I could still get into every one of them. So in this email I let them know that they should remove me (and anyone else they’d given access to but no longer worked with) in case I go ballistic and decide to do whatever the digital equivalent of sweeping everything off the desk in a fit of rage would be.
While I’m not a danger to them, you never know when someone is either disgruntled or is less than perfectly honest. It’s best not to let outside people have access to your site, your social media pages, your traffic data, or your sales records.
What should you do, then? I’ve got two action items for you. There’s the cleanup of whatever mess you might have now, and there’s the system you’ll put in place so that a similar mess doesn’t get made in the future.
Cleanup Steps: Do an access audit. First, go through all of your accounts with an online login and just list them. Some ideas:
- Accounting records
- Ecommerce/web store
- Social media accounts (Google+, Facebook, Twitter, Instagram, LinkedIn, etc.)
- Email marketing (MailChimp, Constant Contact, etc.)
- Bank account
- State and local business- and tax-reporting agencies (here in Washington, that might include the Secretary of State, Department of Revenue, Labor and Industries, Department of Licensing, Employment Security Department, etc.)
- Web host and/or domain name registrar (for some people these are the same company and for others they’re two different companies)
- Cloud storage accounts (Google Drive, Dropbox, etc.)
- Internal systems or programs (For example, can your sales people log in from their smart phone to check client details in your customer database?)
Next, for each site you listed, make a note of all the people that might have gotten access at some time. Think of interns, consultants, former employees, former business partners, and even friends that helped you out that one time. Many programs and sites allow the admin / owner / master / poweruser account to see a master list of all possible users, which might make some of these easy to assess.
Finally, for each access point, make sure that only the proper people can have access. Old usernames and other login information should be either deleted or at least have their passwords changed to something the old employee or whoever won’t know or guess.
Proactive Steps: Now that you’ve locked out anyone who should no longer have access, develop a sensible policy to track when someone is given access. This will allow you to easily revoke access when they shouldn’t have it any more. And have a way of triggering that review at an appropriate time—like scheduling an “update access” task for the day after someone’s last day when they give notice, or the week the contractor’s work is supposed to be done or the internship ends.
At the very least, put a little recurring task on your calendar to remind you to stop, ask yourself the question “has anyone’s access status changed in the last 30 days?”, and take the appropriate action if the answer is “yes”. It’s not an ironclad plan, but even this could save you a heap of hurt and only takes a few moments each month.
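The cleanup and proactive steps above, worked as a small access-inventory script (an added example, not part of the original post; the accounts, people and dates are constructed, and the record layout is an assumption):

```python
from datetime import date, timedelta

# Constructed sample inventory: one record per (account, person) grant.
# end_date = the day access should stop (last day worked, contract or
# internship end); None = current staff. active = can still log in today.
GRANTS = [
    {"account": "Facebook page", "person": "Ann (intern)",
     "granted": date(2014, 6, 2), "end_date": date(2014, 8, 29), "active": True},
    {"account": "Web host", "person": "Bob (consultant)",
     "granted": date(2013, 1, 10), "end_date": date(2013, 12, 20), "active": False},
    {"account": "MailChimp", "person": "Cara (owner)",
     "granted": date(2012, 5, 1), "end_date": None, "active": True},
    {"account": "Dropbox", "person": "Dan (contractor)",
     "granted": date(2014, 9, 15), "end_date": date(2014, 10, 31), "active": True},
]
TODAY = date(2014, 10, 6)  # constructed "as of" date for the audit run


def stale_access(grants, today):
    """Cleanup: logins still active although the person's end date has passed.
    Delete them or change the password to something the person can't guess."""
    return [(g["account"], g["person"]) for g in grants
            if g["active"] and g["end_date"] and g["end_date"] < today]


def review_tasks(grants, today, horizon_days=30):
    """Proactive: 'update access' calendar tasks, one per end date inside the
    horizon, dated the day after the person's last day."""
    tasks = []
    for g in grants:
        end = g["end_date"]
        if g["active"] and end and today <= end <= today + timedelta(days=horizon_days):
            tasks.append((end + timedelta(days=1), g["account"], g["person"]))
    return sorted(tasks)


def changed_recently(grants, today, days=30):
    """Monthly reminder: has anyone's access status changed in the last N days?
    Returns grants created, or whose end date fell, inside that window."""
    since = today - timedelta(days=days)
    return [(g["account"], g["person"]) for g in grants
            if any(since <= d <= today for d in (g["granted"], g["end_date"]) if d)]


if __name__ == "__main__":
    print("Revoke now:", stale_access(GRANTS, TODAY))
    print("Put on calendar:", review_tasks(GRANTS, TODAY))
    print("Changed in last 30 days:", changed_recently(GRANTS, TODAY))
```

Run it whenever the calendar reminder fires; anything in the "revoke now" list is exactly the old login the cleanup step says to delete or re-password.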
This, of course, leads us to the teaser for the next part, which will be all about passwords! Don’t be like #17 on Slate’s list with “monkey” as your password. Or 111111. Bad. Instead, read the next article and be a password whiz!